RAATS WIFI

Security - WPA2-Personal



Since these blog posts are preparation for my CWAP, there will be no blog post about WPA-Personal. This post shows how to identify WPA2-Personal in the frames; along the way I'll point out the differences between WPA/WPA2 and Personal/Enterprise. There will be a separate, more detailed blog post about WPA2-Enterprise as well.

Below is a beacon frame, a good place to start. Beacon frames carry all the information about the wireless network. Under RSN Information, Pairwise Cipher Suite, you see that it uses AES/CCM; WPA-Personal uses RC4/TKIP, so this shows that the network uses WPA2. The next step is to determine whether it is Personal or Enterprise. Under Auth Key Management (AKM) it shows Pre-Shared Key (PSK). It is not the first time that Wireshark makes this easier: when the network uses WPA2-Enterprise, the AKM is 00-0f-ac:01; when the network uses WPA2-Personal, the AKM is 00-0f-ac:02.

WPA2-PSK

The whole process with WPA2-personal looks like this:

OSAProcess

First the client sends an authentication frame, which the access point acknowledges; the access point then sends its own authentication frame, which the client acknowledges. After that the client transmits an association request, acknowledged by the access point, followed by an association response from the access point and, finally, the ack from the client.

Once Open System Authentication is done, the 4-way handshake follows.

4wayProcess

The first key message (M1) goes from the access point to the client. The access point generates the Authenticator Nonce (ANonce, a number used once), and you can find it in the frame.

m1

The second key message (M2) goes from the client to the access point and carries the Supplicant Nonce (SNonce) and the Message Integrity Check (MIC). The WPA Key Nonce here differs from the WPA Key Nonce in the previous screenshot (M1): this one is the SNonce.

m2

The third key message (M3) goes from the access point to the client. Here you see the Install flag set, meaning the derived PTK will be installed. You can also see that the WPA Key Nonce is the same as the WPA Key Nonce in the first message (M1), so this is the ANonce.

m3

The last key message (M4) goes from the client to the access point. You see that Install is back to 0 and only the MIC is set (the WPA Key Nonce is not).

After the 4-way handshake, data frames are exchanged.

m4
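As an added example (not part of the original post), the two things the post reads off Wireshark by eye, done in code: decoding the RSN element of a beacon (and the older WPA vendor element) to label the network WPA/WPA2 and Personal/Enterprise from the AKM selector, and labelling the four EAPOL-Key messages from the Install, Key ACK, Key MIC and Secure bits of Key Information. The element bytes at the bottom are constructed samples, not frames from the post's captures.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # 00-0f-ac: WPA2/RSN suite selectors
WPA_OUI = bytes.fromhex("0050f2")  # 00-50-f2: original WPA (vendor IE) selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def _suites(body, off):
    """Read a little-endian count, then that many 4-byte (OUI + type) suite selectors."""
    (n,) = struct.unpack_from("<H", body, off)
    return [body[off + 2 + 4 * i:off + 6 + 4 * i] for i in range(n)], off + 2 + 4 * n

def parse_security_ie(ie):
    """Decode a raw RSN (ID 48) or WPA vendor (ID 221) element from a beacon."""
    eid, body = ie[0], ie[2:2 + ie[1]]
    if eid == 48:
        gen, oui = "WPA2", RSN_OUI
    elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
        gen, oui, body = "WPA", WPA_OUI, body[4:]        # skip OUI + type 1
    else:
        raise ValueError("not an RSN or WPA information element")
    name = lambda s, t: t.get(s[3], "unknown") if s[:3] == oui else "vendor-specific"
    pairwise, off = _suites(body, 6)                      # after version (2) + group cipher (4)
    akms, _ = _suites(body, off)
    return gen, name(body[2:6], CIPHERS), [name(s, CIPHERS) for s in pairwise], [name(s, AKMS) for s in akms]

def security_mode(ie):
    """The label the post reads off Wireshark: WPA/WPA2 plus Personal/Enterprise."""
    gen, _, pairwise, akms = parse_security_ie(ie)
    kind = "Personal" if any("PSK" in a for a in akms) else \
        "Enterprise" if any("802.1X" in a for a in akms) else "/".join(akms)
    return f"{gen}-{kind} ({'/'.join(pairwise)})"

def handshake_message(key_info):
    """Label an EAPOL-Key frame M1..M4 from its Key Information field (Install B6, Key ACK B7, Key MIC B8, Secure B9)."""
    if not key_info & 0x0008:                   # Key Type 0: group key handshake, not the 4-way
        return "group"
    install, ack, mic, secure = key_info & 0x40, key_info & 0x80, key_info & 0x100, key_info & 0x200
    if ack and not mic:
        return "M1"                             # AP -> client, carries ANonce, no MIC yet
    if ack and mic and install:
        return "M3"                             # AP -> client, Install set, ANonce repeated
    if mic and not ack:
        return "M4" if secure else "M2"         # client -> AP; M2 carries SNonce + MIC
    return "unknown"

RSN_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")   # constructed WPA2-PSK
RSN_1X = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")    # constructed WPA2-Enterprise
WPA_PSK = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")  # constructed WPA-PSK
```

The Key Information values seen in typical captures are 0x008a, 0x010a, 0x13ca and 0x030a for M1 to M4; feeding them to handshake_message reproduces the labels the post assigns by looking at Install and MIC.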